#ifndef _PKINIT_H
#define _PKINIT_H
#include <krb5/krb5.h>
#include <krb5/preauth_plugin.h>
#include <k5-int-pkinit.h>
#include <profile.h>
#include "pkinit_accessor.h"
/*
 * Compatibility switch for pre-release ("Longhorn beta") Windows PKINIT peers.
 * It is defined unconditionally here, so the #ifdef below is always true and the
 * `longhorn` global is always declared; the flag exists so a build could drop
 * the compatibility path by removing the single #define above.
 * What `longhorn` changes on the wire is decided wherever it is read, not here.
 */
#define LONGHORN_BETA_COMPAT 1
#ifdef LONGHORN_BETA_COMPAT
extern int longhorn;   /* defined in one of the .c files; non-zero presumably enables the compat behavior — confirm at the use sites */
#endif
/*
 * PKCS#11 (smart-card / HSM) support, compiled in unless WITHOUT_PKCS11 is set.
 */
#ifndef WITHOUT_PKCS11
#include "pkcs11.h"
/* Default PKCS#11 provider when the identity string names none.
 * NOTE(review): this is a bare file name, so it is resolved by the dynamic
 * loader's search path at the point it is opened — confirm the loading code
 * constrains the path (or the configuration) before trusting this default. */
#define PKCS11_MODNAME "opensc-pkcs11.so"
/* Initial size guess for a signature buffer; presumably grown on demand if the
 * token reports a larger size — confirm in the crypto back end. */
#define PK_SIGLEN_GUESS 1000
/* Sentinel meaning "no slot selected"; presumably the initial value of
 * pkinit_identity_opts.slotid — confirm in pkinit_init_identity_opts(). */
#define PK_NOSLOT 999999
#endif
/*
 * Key-delivery protocol selectors (values of the dh_or_rsa option fields).
 * Which one is required/allowed is policy decided by the option code, not here.
 */
#define DH_PROTOCOL 1
#define RSA_PROTOCOL 2
/* PA-PK typed-data codes carried back to the client in error replies
 * (the numbers match the TD-* assignments in the PKINIT RFC). */
#define TD_TRUSTED_CERTIFIERS 104
#define TD_INVALID_CERTIFICATES 105
#define TD_DH_PARAMETERS 109
/*
 * Magic values expected in the `magic` field of the plugin/request contexts.
 * They are a cheap sanity check that a context pointer handed back through the
 * preauth plugin interface is the right kind of object, not a security boundary.
 * PKINIT_REQ_CTX_MAGIC does not fit in a signed int; storing it in `int magic`
 * relies on an implementation-defined conversion (consistent on all common ABIs).
 */
#define PKINIT_CTX_MAGIC 0x05551212
#define PKINIT_REQ_CTX_MAGIC 0xdeadbeef
/* Floor on the Diffie-Hellman modulus the client/KDC will accept; raising it
 * tightens the policy for every realm that does not override dh_min_bits. */
#define PKINIT_DEFAULT_DH_MIN_BITS 2048
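#ifdef DEBUG
/*
 * Debug builds send pkiDebug() straight to printf().  Every call site must pass
 * a literal format string; routing attacker-influenced text through fmt would be
 * a format-string bug that only the DEBUG build exposes.
 */
#define pkiDebug printf
#else
/*
 * Release builds compile pkiDebug() to nothing.  The printf-style signature is
 * kept, and on GCC/Clang the format attribute is attached, so the compiler still
 * checks every call site for format/argument mismatches even though the output
 * is discarded — otherwise those mistakes would only surface in DEBUG builds.
 */
#if defined(__GNUC__)
__attribute__((__format__(__printf__, 1, 2)))
#endif
static inline void pkiDebug(const char *fmt, ...)
{
    (void)fmt;   /* intentionally a no-op; silences -Wunused-parameter */
}
#endif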
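/*
 * Compatibility alias so code written against GCC's __FUNCTION__ also builds
 * where only the C99 __func__ identifier exists.  Identifiers containing "__"
 * belong to the implementation; this is a known namespace intrusion retained
 * for existing callers.
 */
#define __FUNCTION__ __func__

/*
 * Point a krb5_data at the bytes of a pa_data / octet_data without copying.
 * The destination ALIASES the source buffer: it does not own the memory and
 * must not outlive it; the cast only drops the unsigned-char-ness of the
 * source pointer.
 *
 * Each macro now expands to a single statement (do/while(0)) so it behaves
 * correctly as the body of an unbraced if/for/while.  The previous expansion
 * was two bare statements, so `if (c) PADATA_TO_KRB5DATA(p, d);` made only the
 * length assignment conditional.  The trailing semicolon is kept deliberately:
 * the old expansion also ended in one, so callers that omit their own ';'
 * continue to compile.
 */
#define PADATA_TO_KRB5DATA(pad, k5d) \
    do { \
        (k5d)->length = (pad)->length; \
        (k5d)->data = (char *)(pad)->contents; \
    } while (0);
#define OCTETDATA_TO_KRB5DATA(octd, k5d) \
    do { \
        (k5d)->length = (octd)->length; \
        (k5d)->data = (char *)(octd)->data; \
    } while (0);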
/* DER-encoded OID identifying the Diffie-Hellman key-agreement algorithm;
 * the bytes live in one of the .c files. */
extern const krb5_octet_data dh_oid;

/*
 * Opaque handles to the crypto back end's state.  The struct bodies are private
 * to pkinit_crypto*.c, so the rest of the plugin can only pass them around.
 * (Note: these typedefs hide a pointer, which the project's style otherwise
 * discourages; kept for ABI compatibility with the existing prototypes.)
 */
typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context;           /* per-plugin (long-lived) */
typedef struct _pkinit_req_crypto_context *pkinit_req_crypto_context;           /* per-request */
typedef struct _pkinit_identity_crypto_context *pkinit_identity_crypto_context; /* loaded certs/keys/anchors */
/*
 * Plugin-wide policy options (one block per loaded plugin instance).
 * Every field is an int flag or count; the defaults and the exact meaning of
 * each flag are set by pkinit_init_plg_opts() and the code that reads them,
 * so the notes below are the field names' evident intent, to be confirmed
 * against those implementations.  (Struct tags beginning with an underscore
 * are formally reserved for the implementation; kept for ABI stability.)
 */
typedef struct _pkinit_plg_opts {
    int require_eku;             /* presumably: reject certs lacking the PKINIT EKU */
    int accept_secondary_eku;    /* presumably: also accept an alternate EKU */
    int allow_upn;               /* presumably: allow UPN SAN to identify the client */
    int dh_or_rsa;               /* DH_PROTOCOL or RSA_PROTOCOL (see defines above) */
    int require_crl_checking;    /* presumably: missing CRL is fatal during chain validation */
    int dh_min_bits;             /* floor on DH modulus size; see PKINIT_DEFAULT_DH_MIN_BITS */
} pkinit_plg_opts;
/*
 * Per-request (client side) policy options.  The first five fields mirror
 * pkinit_plg_opts in the same order — presumably the request block is seeded
 * from the plugin block and then overridden per realm; confirm in
 * pkinit_init_req_opts().  Field meanings are evident intent only; the
 * authoritative semantics are where each field is read.
 */
typedef struct _pkinit_req_opts {
    int require_eku;
    int accept_secondary_eku;
    int allow_upn;
    int dh_or_rsa;               /* DH_PROTOCOL or RSA_PROTOCOL */
    int require_crl_checking;
    int dh_size;                 /* DH modulus size to generate for this request (bits, presumably) */
    int require_hostname_match;  /* presumably: KDC cert SAN must match the KDC host contacted */
    int win2k_target;            /* presumably: talk the pre-RFC (draft 9) dialect to the KDC */
    int win2k_require_cksum;     /* presumably: still demand the checksum when in win2k mode */
} pkinit_req_opts;
/*
 * Identity-option kinds, presumably used to tag which configuration keyword a
 * parsed value came from when filling pkinit_identity_opts (1..6 map onto the
 * identity / anchors / intermediates / crls / ocsp / dn_mapping fields below).
 * Confirm against the option parser before relying on the mapping.
 */
#define PKINIT_ID_OPT_USER_IDENTITY 1
#define PKINIT_ID_OPT_ANCHOR_CAS 2
#define PKINIT_ID_OPT_INTERMEDIATE_CAS 3
#define PKINIT_ID_OPT_CRLS 4
#define PKINIT_ID_OPT_OCSP 5
#define PKINIT_ID_OPT_DN_MAPPING 6
/*
 * Where to find the local identity (cert + key) and the trust material used to
 * validate the peer.  All strings are operator-supplied configuration; the
 * block is created by pkinit_init_identity_opts(), copied by
 * pkinit_dup_identity_opts() and released by pkinit_fini_identity_opts(),
 * which presumably own/free every pointer here — confirm before sharing a
 * string between two blocks.  The char ** members are presumably
 * NULL-terminated lists (one entry per configured location).
 */
typedef struct _pkinit_identity_opts {
    char *identity;              /* primary identity specifier (FILE:/PKCS11:/... style string, presumably) */
    char **identity_alt;         /* alternative identity specifiers */
    char **anchors;              /* trust anchor (root CA) locations */
    char **intermediates;        /* intermediate CA locations */
    char **crls;                 /* CRL locations */
    char *ocsp;                  /* OCSP responder setting */
    char *dn_mapping_file;       /* DN → principal mapping file */
    int idtype;                  /* kind of identity selected; see idtype2string() */
    char *cert_filename;         /* parsed from `identity` for file-based identities, presumably */
    char *key_filename;
#ifndef WITHOUT_PKCS11
    char *p11_module_name;       /* PKCS#11 provider to load; see PKCS11_MODNAME default */
    CK_SLOT_ID slotid;           /* from pkcs11.h; PK_NOSLOT presumably means "not chosen" */
    char *token_label;           /* optional selectors narrowing which token/cert to use */
    char *cert_id_string;
    char *cert_label;
#endif
} pkinit_identity_opts;
/*
 * Client-side plugin context: one per loaded plugin instance, long-lived.
 * `magic` is presumably set to PKINIT_CTX_MAGIC and checked when the opaque
 * pointer comes back through the preauth plugin interface — a mismatch guard,
 * not a security control.  The three sub-objects are owned here (allocated at
 * plugin init and released at plugin fini, presumably — confirm in the .c).
 */
struct _pkinit_context {
    int magic;
    pkinit_plg_crypto_context cryptoctx;   /* crypto back-end state shared by all requests */
    pkinit_plg_opts *opts;                 /* plugin-wide policy */
    pkinit_identity_opts *idopts;          /* identity/trust configuration */
};
typedef struct _pkinit_context *pkinit_context;
/*
 * Client-side per-request context, created for each AS exchange.
 * `magic` is presumably PKINIT_REQ_CTX_MAGIC (see the note on that define about
 * its width).  Its typedef, pkinit_req_context, is declared further down, after
 * the KDC context, rather than next to the struct like the others.
 */
struct _pkinit_req_context {
    int magic;
    pkinit_req_crypto_context cryptoctx;     /* per-request crypto state (DH keys, nonces, ...) */
    pkinit_req_opts *opts;                   /* per-request policy (may differ per realm) */
    pkinit_identity_crypto_context idctx;    /* the loaded client cert/key and trust material */
    pkinit_identity_opts *idopts;            /* identity configuration this request was built from */
    krb5_preauthtype pa_type;                /* which PA-PK-AS-* preauth type is in use */
};
/*
 * KDC-side plugin context: one per realm served, long-lived.
 * Holds the KDC's own identity (idctx/idopts) and the plugin-wide policy.
 * `realmname_len` is carried separately from `realmname`; whether the string
 * is also NUL-terminated is not visible here, so treat it as a counted buffer
 * unless the allocation site says otherwise.
 */
typedef struct _pkinit_kdc_context *pkinit_kdc_context;
struct _pkinit_kdc_context {
    int magic;                               /* presumably PKINIT_CTX_MAGIC */
    pkinit_plg_crypto_context cryptoctx;
    pkinit_plg_opts *opts;
    pkinit_identity_crypto_context idctx;    /* KDC certificate/key and anchors */
    pkinit_identity_opts *idopts;
    char *realmname;                         /* realm this context serves */
    unsigned int realmname_len;
};
/* Typedef for the client request context declared above (placed here rather
 * than beside its struct; kept in place so includers see no change). */
typedef struct _pkinit_req_context *pkinit_req_context;

/*
 * KDC-side per-request context.  Holds the client's AuthPack as received
 * ("rcv"), in either the RFC or the draft-9 encoding depending on pa_type —
 * presumably only one of the two pointers is non-NULL for a given request;
 * confirm in the KDC verify path.  Both are attacker-supplied input and must be
 * fully validated before any field is trusted.
 */
struct _pkinit_kdc_req_context {
    int magic;                               /* presumably PKINIT_REQ_CTX_MAGIC */
    pkinit_req_crypto_context cryptoctx;     /* per-request crypto state */
    krb5_auth_pack *rcv_auth_pack;           /* decoded AuthPack from the client (RFC form) */
    krb5_auth_pack_draft9 *rcv_auth_pack9;   /* decoded AuthPack (draft-9 form) */
    krb5_preauthtype pa_type;                /* preauth type the client sent */
};
typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context;
/* ---- Option-block lifecycle ------------------------------------------------
 * Each init_* allocates a block and stores it through the out-parameter; the
 * matching fini_* releases it.  Default values are the implementation's
 * business, not the header's. */
krb5_error_code pkinit_init_req_opts(pkinit_req_opts **);
void pkinit_fini_req_opts(pkinit_req_opts *);
krb5_error_code pkinit_init_plg_opts(pkinit_plg_opts **);
void pkinit_fini_plg_opts(pkinit_plg_opts *);
krb5_error_code pkinit_init_identity_opts(pkinit_identity_opts **idopts);
void pkinit_fini_identity_opts(pkinit_identity_opts *idopts);
/* Copy src_opts into a freshly allocated *dest_opts (presumably a deep copy of
 * the strings, since fini frees them — confirm in the implementation). */
krb5_error_code pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
                                         pkinit_identity_opts **dest_opts);
/* Human-readable names for an idtype / CA-type code.  The return type is a
 * non-const char *, so do not assume a literal: check the implementation
 * before freeing or modifying the result. */
char * idtype2string(int idtype);
char * catype2string(int catype);

/* ---- Identity loading and selection -------------------------------------
 * Load the certificate/key and trust material described by idopts into
 * id_cryptoctx.  `do_matching` non-zero presumably means "pick the cert that
 * matches `princ`" (see pkinit_cert_matching); with several candidate certs
 * the selection rule decides which key signs the request, so confirm it. */
krb5_error_code pkinit_identity_initialize
    (krb5_context context,
     pkinit_plg_crypto_context plg_cryptoctx,
     pkinit_req_crypto_context req_cryptoctx,
     pkinit_identity_opts *idopts,
     pkinit_identity_crypto_context id_cryptoctx,
     int do_matching,
     krb5_principal princ);
/* Choose, among the loaded certificates, the one to use for `princ`. */
krb5_error_code pkinit_cert_matching
    (krb5_context context,
     pkinit_plg_crypto_context plg_cryptoctx,
     pkinit_req_crypto_context req_cryptoctx,
     pkinit_identity_crypto_context id_cryptoctx,
     krb5_principal princ);

/* ---- ASN.1 structure constructors/destructors ----------------------------
 * init_* allocate an empty structure through the out-parameter.  free_* take
 * the address of the caller's pointer (or pointer array), presumably so they
 * can NULL it after freeing — confirm before relying on that.  Note that
 * free_krb5_auth_pack_draft9 alone also takes a krb5_context; the asymmetry
 * is part of the existing ABI. */
void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
void init_krb5_auth_pack(krb5_auth_pack **in);
void init_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in);
void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void init_krb5_typed_data(krb5_typed_data **in);
void init_krb5_subject_pk_info(krb5_subject_pk_info **in);
void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
void free_krb5_auth_pack(krb5_auth_pack **in);
void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
/* The triple-pointer variants free a NULL-terminated array of pointers (presumably). */
void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
void free_krb5_trusted_ca(krb5_trusted_ca ***in);
void free_krb5_typed_data(krb5_typed_data ***in);
void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
/* Copy src's bytes into dst (dst presumably receives a fresh allocation the
 * caller must release; src is not modified). */
krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);

/* ---- Configuration accessors ---------------------------------------------
 * Read one option for a realm from the krb5 profile (profile.h is included
 * above): the kdcdefault_* family is keyed by a C-string realm name (KDC side),
 * the libdefault_* family by a krb5_data realm (client side).  *ret_value is
 * written on success; the strings/string lists are presumably heap-allocated
 * for the caller to free — confirm in the implementation.  The boolean and
 * integer readers fall back to default_value when the option is absent. */
krb5_error_code pkinit_kdcdefault_strings
    (krb5_context context, const char *realmname, const char *option,
     char ***ret_value);
krb5_error_code pkinit_kdcdefault_string
    (krb5_context context, const char *realmname, const char *option,
     char **ret_value);
krb5_error_code pkinit_kdcdefault_boolean
    (krb5_context context, const char *realmname, const char *option,
     int default_value, int *ret_value);
krb5_error_code pkinit_kdcdefault_integer
    (krb5_context context, const char *realmname, const char *option,
     int default_value, int *ret_value);
krb5_error_code pkinit_libdefault_strings
    (krb5_context context, const krb5_data *realm,
     const char *option, char ***ret_value);
krb5_error_code pkinit_libdefault_string
    (krb5_context context, const krb5_data *realm,
     const char *option, char **ret_value);
krb5_error_code pkinit_libdefault_boolean
    (krb5_context context, const krb5_data *realm, const char *option,
     int default_value, int *ret_value);
krb5_error_code pkinit_libdefault_integer
    (krb5_context context, const krb5_data *realm, const char *option,
     int default_value, int *ret_value);

/* ---- Debug helpers -------------------------------------------------------
 * Dump `len` bytes of a buffer (as hex, presumably) or write them out in binary
 * form; the third parameter of print_buffer_bin is presumably a destination
 * file name — confirm, and keep such dumps out of production logs since the
 * buffers may hold key material.  Parameters are not const-qualified; the
 * implementations should not write through them. */
void print_buffer(unsigned char *, unsigned int);
void print_buffer_bin(unsigned char *, unsigned int, char *);
#include "pkinit_crypto.h"
#endif